hawkeye_reborn | 40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2

General

Target

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
Size

966KB
MD5

f51e87a9c3b3674eecaf153c46bfc917
SHA1

a9844ecf9c67806626d771cf4514ea7d5a9e9885
SHA256

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2
SHA512

3bfb6a5a20190ffcdc8748aeedbb8f09fd150ced71c0ca3dc04e311736ff164b914a2a5e7c101f78929dff7f8ea78af97db4f957965e911ab691ec50736f62dc

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4816-136-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

4816 svhost.exe

pid	process
4816	svhost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 bot.whatismyipaddress.com

flow	ioc
23	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

description	pid	process	target process
PID 4828 set thread context of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
File created	C:\Windows\assembly\Desktop.ini	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\Equipment.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\Equipment.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

pid	process
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

description pid process

Token: SeDebugPrivilege 4828 40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

description	pid	process
Token: SeDebugPrivilege	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 4320	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	cmd.exe
PID 4828 wrote to memory of 4320	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	cmd.exe
PID 4828 wrote to memory of 4320	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	cmd.exe
PID 4320 wrote to memory of 840	4320	cmd.exe	reg.exe
PID 4320 wrote to memory of 840	4320	cmd.exe	reg.exe
PID 4320 wrote to memory of 840	4320	cmd.exe	reg.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe
PID 4828 wrote to memory of 4816	4828	40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe
"C:\Users\Admin\AppData\Local\Temp\40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\Equipment.exe.lnk" /f
    3⤵
    PID:840
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\Equipment.exe

Filesize
966KB

MD5
f51e87a9c3b3674eecaf153c46bfc917

SHA1
a9844ecf9c67806626d771cf4514ea7d5a9e9885

SHA256
40f9d78bc1e149db83128629109165f6dd0830506c2c2690212015bc43692ab2

SHA512
3bfb6a5a20190ffcdc8748aeedbb8f09fd150ced71c0ca3dc04e311736ff164b914a2a5e7c101f78929dff7f8ea78af97db4f957965e911ab691ec50736f62dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/840-132-0x0000000000000000-mapping.dmp

Download
memory/4320-131-0x0000000000000000-mapping.dmp

Download
memory/4816-139-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4816-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4816-135-0x0000000000000000-mapping.dmp

Download
memory/4816-141-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4816-142-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-133-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-130-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-140-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads